Compare commits
41 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| a2f607ed76 | |||
| 9bbb9e5060 | |||
| 75eb23ace8 | |||
| 588b536eb1 | |||
| f6e239d940 | |||
| c4ecaf0a01 | |||
| 2acc8676db | |||
| 9966b2ae50 | |||
| 0d8225bd20 | |||
| ccae83d30e | |||
| 08e5e0a148 | |||
| 0d4266dc81 | |||
| c5d3d4be36 | |||
| 6170f973ff | |||
| 1c7262b6e2 | |||
| e9cceb62ce | |||
| 75904cfd05 | |||
| f8e81f7293 | |||
| d0c5da8cf1 | |||
| 5f784b3ef3 | |||
| fd652cdf40 | |||
| a5d765523b | |||
| 9b4bfac4ef | |||
| d7b0c262ba | |||
| 82e88c1e9b | |||
| 688fb93702 | |||
| 43bf5f3b39 | |||
| 7c7e8f5c18 | |||
| 81313b4c5d | |||
| 632746518a | |||
| a6f8d25673 | |||
| 9b0bef767c | |||
| 61085fbfef | |||
| 9f68246a01 | |||
| bc6fea5f73 | |||
| 972687a07b | |||
| aad21d4486 | |||
| 29f0e1dcf4 | |||
| e0d410ad6a | |||
| 95447b3f56 | |||
| 999c14c87b |
Vendored
+58
@@ -1,3 +1,16 @@
|
||||
shadow (1:4.16.0-2) experimental; urgency=medium
|
||||
|
||||
* passwd: switch Depends from login to login.defs
|
||||
login will again be installed on fewer systems, but existing installs
|
||||
will retain it (it is Protected: yes).
|
||||
* Drop login package, to allow takeover by util-linux.
|
||||
Move shadow.mo to Package: passwd, have passwd Replaces: older login.
|
||||
* login.defs: ship manpage
|
||||
* Re-add workarounds for tests in tests/tests directory.
|
||||
4.15.3 fixed this, but 4.16.0 happened earlier.
|
||||
|
||||
-- Chris Hofstaedtler <zeha@debian.org> Mon, 05 Aug 2024 02:36:29 +0200
|
||||
|
||||
shadow (1:4.16.0-1) experimental; urgency=medium
|
||||
|
||||
* New upstream version 4.16.0
|
||||
@@ -8,6 +21,51 @@ shadow (1:4.16.0-1) experimental; urgency=medium
|
||||
|
||||
-- Chris Hofstaedtler <zeha@debian.org> Fri, 02 Aug 2024 17:35:29 +0200
|
||||
|
||||
shadow (1:4.15.3-3) unstable; urgency=medium
|
||||
|
||||
* Forbid backslashes in user/group-names.
|
||||
They can still be used with --force-badname, but it's a start. In the
|
||||
long run I want to remove our relax patch, and upstream should fix the
|
||||
line continuation too. For #1076619.
|
||||
|
||||
-- Chris Hofstaedtler <zeha@debian.org> Sun, 21 Jul 2024 21:05:32 +0200
|
||||
|
||||
shadow (1:4.15.3-2) unstable; urgency=medium
|
||||
|
||||
[ Pino Toscano ]
|
||||
* d/rules: actually enable Linux-only options on Linux
|
||||
This enables --enable-logind and --with-audit.
|
||||
|
||||
[ Chris Hofstaedtler ]
|
||||
* Stop installing groupmems(8) (Closes: #1004472, LP: #2039541)
|
||||
* login.defs: remove obsolete/confusing comments
|
||||
* login.defs: resync comments with upstream
|
||||
* login.defs: remove incomplete list of unused vars
|
||||
* login.defs: remove obscure, defaulted vars
|
||||
* login.defs: remove vars ignored by su(1)
|
||||
* login.defs: remove CONSOLE_GROUPS, ignored with PAM
|
||||
* login.defs: remove CONSOLE, ignored with PAM
|
||||
|
||||
-- Chris Hofstaedtler <zeha@debian.org> Sun, 07 Jul 2024 15:30:38 +0200
|
||||
|
||||
shadow (1:4.15.3-1) unstable; urgency=medium
|
||||
|
||||
* New upstream version 4.15.3
|
||||
* tests: follow upstream subdir fix
|
||||
* Fix setup of test libsubid-04_nss
|
||||
* Drop login.postinst, obsoleted by #1074121
|
||||
* Bump Standards-Version to 4.7.0
|
||||
|
||||
-- Chris Hofstaedtler <zeha@debian.org> Sat, 06 Jul 2024 23:50:36 +0200
|
||||
|
||||
shadow (1:4.15.2-3) unstable; urgency=medium
|
||||
|
||||
* d/watch: add versionmangle for -rc
|
||||
* Revert "Use upstream's restrictions on user- and group names again".
|
||||
Breaks adduser's tests, see #1074306.
|
||||
|
||||
-- Chris Hofstaedtler <zeha@debian.org> Wed, 26 Jun 2024 12:40:34 +0200
|
||||
|
||||
shadow (1:4.15.2-2) unstable; urgency=medium
|
||||
|
||||
* useradd(8): Fix missing paragraph on username length
|
||||
|
||||
Vendored
-324
@@ -1,324 +0,0 @@
|
||||
#
|
||||
# /etc/login.defs - Configuration control definitions for the login package.
|
||||
#
|
||||
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
|
||||
# If unspecified, some arbitrary (and possibly incorrect) value will
|
||||
# be assumed. All other items are optional - if not specified then
|
||||
# the described action or option will be inhibited.
|
||||
#
|
||||
# Comment lines (lines beginning with "#") and blank lines are ignored.
|
||||
#
|
||||
# Modified for Linux. --marekm
|
||||
|
||||
# REQUIRED for useradd/userdel/usermod
|
||||
# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
|
||||
# MAIL_DIR takes precedence.
|
||||
#
|
||||
# Essentially:
|
||||
# - MAIL_DIR defines the location of users mail spool files
|
||||
# (for mbox use) by appending the username to MAIL_DIR as defined
|
||||
# below.
|
||||
# - MAIL_FILE defines the location of the users mail spool files as the
|
||||
# fully-qualified filename obtained by prepending the user home
|
||||
# directory before $MAIL_FILE
|
||||
#
|
||||
# NOTE: This is no more used for setting up users MAIL environment variable
|
||||
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
|
||||
# job of the pam_mail PAM modules
|
||||
# See default PAM configuration files provided for
|
||||
# login, su, etc.
|
||||
#
|
||||
# This is a temporary situation: setting these variables will soon
|
||||
# move to /etc/default/useradd and the variables will then be
|
||||
# no more supported
|
||||
MAIL_DIR /var/mail
|
||||
#MAIL_FILE .mail
|
||||
|
||||
#
|
||||
# Enable display of unknown usernames when login failures are recorded.
|
||||
#
|
||||
# WARNING: Unknown usernames may become world readable.
|
||||
# See #290803 and #298773 for details about how this could become a security
|
||||
# concern
|
||||
LOG_UNKFAIL_ENAB no
|
||||
|
||||
#
|
||||
# Enable logging of successful logins
|
||||
#
|
||||
LOG_OK_LOGINS no
|
||||
|
||||
#
|
||||
# Enable "syslog" logging of su activity - in addition to sulog file logging.
|
||||
# SYSLOG_SG_ENAB does the same for newgrp and sg.
|
||||
#
|
||||
SYSLOG_SU_ENAB yes
|
||||
SYSLOG_SG_ENAB yes
|
||||
|
||||
#
|
||||
# If defined, all su activity is logged to this file.
|
||||
#
|
||||
#SULOG_FILE /var/log/sulog
|
||||
|
||||
#
|
||||
# If defined, file which maps tty line to TERM environment parameter.
|
||||
# Each line of the file is in a format something like "vt100 tty01".
|
||||
#
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
|
||||
#
|
||||
# If defined, the command name to display when running "su -". For
|
||||
# example, if this is defined as "su" then a "ps" will display the
|
||||
# command is "-su". If not defined, then "ps" would display the
|
||||
# name of the shell actually being run, e.g. something like "-sh".
|
||||
#
|
||||
SU_NAME su
|
||||
|
||||
#
|
||||
# If defined, file which inhibits all the usual chatter during the login
|
||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
||||
# user's name or shell are found in the file. If not a full pathname, then
|
||||
# hushed mode will be enabled if the file exists in the user's home directory.
|
||||
#
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
|
||||
#
|
||||
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
||||
#
|
||||
# (they are minimal, add the rest in the shell startup files)
|
||||
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
|
||||
|
||||
#
|
||||
# Terminal permissions
|
||||
#
|
||||
# TTYGROUP Login tty will be assigned this group ownership.
|
||||
# TTYPERM Login tty will be set to this permission.
|
||||
#
|
||||
# If you have a "write" program which is "setgid" to a special group
|
||||
# which owns the terminals, define TTYGROUP to the group number and
|
||||
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
|
||||
# TTYPERM to either 622 or 600.
|
||||
#
|
||||
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
|
||||
# However, the default and recommended value for TTYPERM is still 0600
|
||||
# to not allow anyone to write to anyone else console or terminal
|
||||
|
||||
# Users can still allow other people to write them by issuing
|
||||
# the "mesg y" command.
|
||||
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
|
||||
#
|
||||
# Login configuration initializations:
|
||||
#
|
||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||
#
|
||||
# The ERASECHAR and KILLCHAR are used only on System V machines.
|
||||
#
|
||||
ERASECHAR 0177
|
||||
KILLCHAR 025
|
||||
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
HOME_MODE 0700
|
||||
|
||||
#
|
||||
# Password aging controls:
|
||||
#
|
||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd
|
||||
#
|
||||
UID_MIN 1000
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
#SYS_UID_MIN 100
|
||||
#SYS_UID_MAX 999
|
||||
# Extra per user uids
|
||||
SUB_UID_MIN 100000
|
||||
SUB_UID_MAX 600100000
|
||||
SUB_UID_COUNT 65536
|
||||
|
||||
#
|
||||
# Min/max values for automatic gid selection in groupadd
|
||||
#
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
#SYS_GID_MIN 100
|
||||
#SYS_GID_MAX 999
|
||||
# Extra per user group ids
|
||||
SUB_GID_MIN 100000
|
||||
SUB_GID_MAX 600100000
|
||||
SUB_GID_COUNT 65536
|
||||
|
||||
#
|
||||
# Max number of login retries if password is bad. This will most likely be
|
||||
# overriden by PAM, since the default pam_unix module has it's own built
|
||||
# in of 3 retries. However, this is a safe fallback in case you are using
|
||||
# an authentication module that does not enforce PAM_MAXTRIES.
|
||||
#
|
||||
LOGIN_RETRIES 5
|
||||
|
||||
#
|
||||
# Max time in seconds for login
|
||||
#
|
||||
LOGIN_TIMEOUT 60
|
||||
|
||||
#
|
||||
# Which fields may be changed by regular users using chfn - use
|
||||
# any combination of letters "frwh" (full name, room number, work
|
||||
# phone, home phone). If not defined, no changes are allowed.
|
||||
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
|
||||
#
|
||||
CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
# Default is no.
|
||||
#
|
||||
DEFAULT_HOME yes
|
||||
|
||||
#
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
# the user to be removed (passed as the first argument).
|
||||
#
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
# If set to yes, userdel will remove the user's group if it contains no
|
||||
# more members, and useradd will create by default a group with the name
|
||||
# of the user.
|
||||
#
|
||||
# Other former uses of this variable such as setting the umask when
|
||||
# user==primary group are not used in PAM environments, such as Debian
|
||||
#
|
||||
USERGROUPS_ENAB yes
|
||||
|
||||
#
|
||||
# Instead of the real user shell, the program specified by this parameter
|
||||
# will be launched, although its visible name (argv[0]) will be the shell's.
|
||||
# The program may do whatever it wants (logging, additional authentification,
|
||||
# banner, ...) before running the actual shell.
|
||||
#
|
||||
# FAKE_SHELL /bin/fakeshell
|
||||
|
||||
#
|
||||
# If defined, either full pathname of a file containing device names or
|
||||
# a ":" delimited list of device names. Root logins will be allowed only
|
||||
# upon these devices.
|
||||
#
|
||||
# This variable is used by login and su.
|
||||
#
|
||||
#CONSOLE /etc/consoles
|
||||
#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
|
||||
#
|
||||
# List of groups to add to the user's supplementary group set
|
||||
# when logging in on the console (as determined by the CONSOLE
|
||||
# setting). Default is none.
|
||||
#
|
||||
# Use with caution - it is possible for users to gain permanent
|
||||
# access to these groups, even when not logged in on the console.
|
||||
# How to do it is left as an exercise for the reader...
|
||||
#
|
||||
# This variable is used by login and su.
|
||||
#
|
||||
#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
|
||||
#
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
|
||||
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
|
||||
# If set to DES, DES-based algorithm will be used for encrypting password (default)
|
||||
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
# Note: It is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
ENCRYPT_METHOD YESCRYPT
|
||||
|
||||
#
|
||||
# The pwck(8) utility emits a warning for any system account with a home
|
||||
# directory that does not exist. Some system accounts intentionally do
|
||||
# not have a home directory. Such accounts may have this string as
|
||||
# their home directory in /etc/passwd to avoid a spurious warning.
|
||||
#
|
||||
NONEXISTENT /nonexistent
|
||||
|
||||
#
|
||||
# Allow newuidmap and newgidmap when running under an alternative
|
||||
# primary group.
|
||||
#
|
||||
#GRANT_AUX_GROUP_SUBIDS yes
|
||||
|
||||
#
|
||||
# Select the HMAC cryptography algorithm.
|
||||
# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
# authentication code.
|
||||
#
|
||||
# Note: It is recommended to check hmac(3) to see the possible algorithms
|
||||
# that are available in your system.
|
||||
#
|
||||
#HMAC_CRYPTO_ALGO SHA512
|
||||
|
||||
################# OBSOLETED BY PAM ##############
|
||||
# #
|
||||
# These options are now handled by PAM. Please #
|
||||
# edit the appropriate file in /etc/pam.d/ to #
|
||||
# enable the equivelants of them.
|
||||
#
|
||||
###############
|
||||
|
||||
#MOTD_FILE
|
||||
#DIALUPS_CHECK_ENAB
|
||||
#LASTLOG_ENAB
|
||||
#MAIL_CHECK_ENAB
|
||||
#OBSCURE_CHECKS_ENAB
|
||||
#PORTTIME_CHECKS_ENAB
|
||||
#SU_WHEEL_ONLY
|
||||
#CRACKLIB_DICTPATH
|
||||
#PASS_CHANGE_TRIES
|
||||
#PASS_ALWAYS_WARN
|
||||
#ENVIRON_FILE
|
||||
#NOLOGINS_FILE
|
||||
#ISSUE_FILE
|
||||
#PASS_MIN_LEN
|
||||
#PASS_MAX_LEN
|
||||
#ULIMIT
|
||||
#ENV_HZ
|
||||
#CHFN_AUTH
|
||||
#CHSH_AUTH
|
||||
#FAIL_DELAY
|
||||
|
||||
################# OBSOLETED #######################
|
||||
# #
|
||||
# These options are no more handled by shadow. #
|
||||
# #
|
||||
# Shadow utilities will display a warning if they #
|
||||
# still appear. #
|
||||
# #
|
||||
###################################################
|
||||
|
||||
# CLOSE_SESSIONS
|
||||
# LOGIN_STRING
|
||||
# NO_PASSWORD_CONSOLE
|
||||
# QMAIL_DIR
|
||||
|
||||
|
||||
|
||||
Vendored
+6
-24
@@ -29,7 +29,7 @@ Build-Depends:
|
||||
quilt,
|
||||
systemd-dev [linux-any],
|
||||
xsltproc <!nodoc>
|
||||
Standards-Version: 4.6.1
|
||||
Standards-Version: 4.7.0
|
||||
Vcs-Git: https://salsa.debian.org/debian/shadow.git -b master
|
||||
Vcs-Browser: https://salsa.debian.org/debian/shadow
|
||||
Homepage: https://github.com/shadow-maint/shadow
|
||||
@@ -39,42 +39,24 @@ Package: passwd
|
||||
Architecture: any
|
||||
Multi-Arch: foreign
|
||||
Depends:
|
||||
base-passwd (>= 3.6.4),
|
||||
libpam-modules,
|
||||
login
|
||||
login.defs
|
||||
Recommends:
|
||||
sensible-utils
|
||||
Replaces:
|
||||
login (<< 1:4.16.0-2~)
|
||||
Description: change and administer password and group data
|
||||
This package includes passwd, chsh, chfn, and many other programs to
|
||||
maintain password and group data.
|
||||
.
|
||||
Shadow passwords are supported. See /usr/share/doc/passwd/README.Debian
|
||||
|
||||
Package: login
|
||||
Architecture: any
|
||||
Multi-Arch: foreign
|
||||
Protected: yes
|
||||
Depends:
|
||||
libpam-modules,
|
||||
libpam-runtime
|
||||
Breaks:
|
||||
hurd (<< 20140206~) [hurd-any]
|
||||
Conflicts:
|
||||
python-4suite (<< 0.99cvs20060405-1)
|
||||
Replaces:
|
||||
hurd (<< 20140206~) [hurd-any]
|
||||
Pre-Depends:
|
||||
login.defs (>= 1:4.16.0-1~)
|
||||
Description: system login tools
|
||||
This package provides support for console-based logins and for
|
||||
changing effective user or group IDs, including:
|
||||
* login, the program that invokes a user shell on a virtual terminal;
|
||||
* nologin, a dummy shell for disabled user accounts;
|
||||
|
||||
Package: login.defs
|
||||
Architecture: all
|
||||
Multi-Arch: foreign
|
||||
Replaces:
|
||||
login (<< 1:4.16.0-1~)
|
||||
login (<< 1:4.16.0-2~)
|
||||
Description: system user management configuration
|
||||
This package provides the login.defs configuration file,
|
||||
used by otherwise unrelated tools managing system users.
|
||||
|
||||
Vendored
-5
@@ -22,11 +22,6 @@ packages:
|
||||
path: usr/bin/expiry
|
||||
group: "shadow"
|
||||
mode: "u=rwx,go=rxs"
|
||||
login:
|
||||
transformations:
|
||||
- path-metadata:
|
||||
path: usr/bin/newgrp
|
||||
mode: "u=rwxs,go=rx"
|
||||
uidmap:
|
||||
transformations:
|
||||
- path-metadata:
|
||||
|
||||
Vendored
+1
-1
@@ -1 +1 @@
|
||||
debian/config/login.defs etc
|
||||
etc/login.defs etc
|
||||
|
||||
Vendored
+2
@@ -0,0 +1,2 @@
|
||||
usr/share/man/*/man5/login.defs.5
|
||||
usr/share/man/man5/login.defs.5
|
||||
Vendored
-1
@@ -1 +0,0 @@
|
||||
usr/share/lintian/overrides
|
||||
Vendored
-4
@@ -1,4 +0,0 @@
|
||||
bin/login usr/bin
|
||||
sbin/nologin usr/sbin
|
||||
usr/bin/newgrp
|
||||
usr/share/locale/*/LC_MESSAGES/shadow.mo
|
||||
Vendored
-1
@@ -1 +0,0 @@
|
||||
usr/bin/newgrp usr/bin/sg
|
||||
Vendored
-1
@@ -1 +0,0 @@
|
||||
login: elevated-privileges 4755 root/root [usr/bin/newgrp]
|
||||
Vendored
-2
@@ -1,2 +0,0 @@
|
||||
rm_conffile /etc/securetty 1:4.7-1~
|
||||
rm_conffile /etc/login.defs 1:4.16.0-1~
|
||||
Vendored
-10
@@ -1,10 +0,0 @@
|
||||
usr/share/man/*/man1/login.1
|
||||
usr/share/man/*/man1/newgrp.1
|
||||
usr/share/man/*/man1/sg.1
|
||||
usr/share/man/*/man5/login.defs.5
|
||||
usr/share/man/*/man8/nologin.8
|
||||
usr/share/man/man1/login.1
|
||||
usr/share/man/man1/newgrp.1
|
||||
usr/share/man/man1/sg.1
|
||||
usr/share/man/man5/login.defs.5
|
||||
usr/share/man/man8/nologin.8
|
||||
Vendored
-96
@@ -1,96 +0,0 @@
|
||||
#
|
||||
# The PAM configuration file for the Shadow `login' service
|
||||
#
|
||||
|
||||
# Enforce a minimal delay in case of failure (in microseconds).
|
||||
# (Replaces the `FAIL_DELAY' setting from login.defs)
|
||||
# Note that other modules may require another minimal delay. (for example,
|
||||
# to disable any delay, you should add the nodelay option to pam_unix)
|
||||
auth optional pam_faildelay.so delay=3000000
|
||||
|
||||
# Outputs an issue file prior to each login prompt (Replaces the
|
||||
# ISSUE_FILE option from login.defs). Uncomment for use
|
||||
# auth required pam_issue.so issue=/etc/issue
|
||||
|
||||
# Disallows other than root logins when /etc/nologin exists
|
||||
# (Replaces the `NOLOGINS_FILE' option from login.defs)
|
||||
auth requisite pam_nologin.so
|
||||
|
||||
# SELinux needs to be the first session rule. This ensures that any
|
||||
# lingering context has been cleared. Without this it is possible
|
||||
# that a module could execute code in the wrong domain.
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
|
||||
|
||||
# Sets the loginuid process attribute
|
||||
session required pam_loginuid.so
|
||||
|
||||
# Prints the message of the day upon successful login.
|
||||
# (Replaces the `MOTD_FILE' option in login.defs)
|
||||
# This includes a dynamically generated part from /run/motd.dynamic
|
||||
# and a static (admin-editable) part from /etc/motd.
|
||||
session optional pam_motd.so motd=/run/motd.dynamic
|
||||
session optional pam_motd.so noupdate
|
||||
|
||||
# SELinux needs to intervene at login time to ensure that the process
|
||||
# starts in the proper default security context. Only sessions which are
|
||||
# intended to run in the user's context should be run after this.
|
||||
# pam_selinux.so changes the SELinux context of the used TTY and configures
|
||||
# SELinux in order to transition to the user context with the next execve()
|
||||
# call.
|
||||
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
|
||||
# When the module is present, "required" would be sufficient (When SELinux
|
||||
# is disabled, this returns success.)
|
||||
|
||||
# This module parses environment configuration file(s)
|
||||
# and also allows you to use an extended config
|
||||
# file /etc/security/pam_env.conf.
|
||||
#
|
||||
# parsing /etc/environment needs "readenv=1"
|
||||
session required pam_env.so readenv=1
|
||||
# locale variables can also be set in /etc/default/locale
|
||||
# reading this file *in addition to /etc/environment* does not hurt
|
||||
session required pam_env.so readenv=1 envfile=/etc/default/locale
|
||||
|
||||
# Standard Un*x authentication.
|
||||
@include common-auth
|
||||
|
||||
# This allows certain extra groups to be granted to a user
|
||||
# based on things like time of day, tty, service, and user.
|
||||
# Please edit /etc/security/group.conf to fit your needs
|
||||
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
|
||||
auth optional pam_group.so
|
||||
|
||||
# Uncomment and edit /etc/security/time.conf if you need to set
|
||||
# time restraint on logins.
|
||||
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
|
||||
# as well as /etc/porttime)
|
||||
# account requisite pam_time.so
|
||||
|
||||
# Uncomment and edit /etc/security/access.conf if you need to
|
||||
# set access limits.
|
||||
# (Replaces /etc/login.access file)
|
||||
# account required pam_access.so
|
||||
|
||||
# Sets up user limits according to /etc/security/limits.conf
|
||||
# (Replaces the use of /etc/limits in old login)
|
||||
session required pam_limits.so
|
||||
|
||||
# Prints the status of the user's mailbox upon successful login
|
||||
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
|
||||
#
|
||||
# This also defines the MAIL environment variable
|
||||
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
|
||||
# in /etc/login.defs to make sure that removing a user
|
||||
# also removes the user's mail spool file.
|
||||
# See comments in /etc/login.defs
|
||||
session optional pam_mail.so standard
|
||||
|
||||
# Create a new session keyring.
|
||||
session optional pam_keyinit.so force revoke
|
||||
|
||||
# Standard Un*x account and session
|
||||
@include common-account
|
||||
@include common-session
|
||||
@include common-password
|
||||
Vendored
-21
@@ -1,21 +0,0 @@
|
||||
#!/bin/sh
|
||||
set -e
|
||||
|
||||
if [ "$1" = "configure" ]; then
|
||||
# Create subuid/subgid if missing
|
||||
if [ ! -e "$DPKG_ROOT/etc/subuid" ]; then
|
||||
touch "$DPKG_ROOT/etc/subuid"
|
||||
chown 0:0 "$DPKG_ROOT/etc/subuid"
|
||||
chmod 644 "$DPKG_ROOT/etc/subuid"
|
||||
fi
|
||||
|
||||
if [ ! -e "$DPKG_ROOT/etc/subgid" ]; then
|
||||
touch "$DPKG_ROOT/etc/subgid"
|
||||
chown 0:0 "$DPKG_ROOT/etc/subgid"
|
||||
chmod 644 "$DPKG_ROOT/etc/subgid"
|
||||
fi
|
||||
fi
|
||||
|
||||
#DEBHELPER#
|
||||
|
||||
exit 0
|
||||
Vendored
+15
-1
@@ -1,4 +1,6 @@
|
||||
bin/groups
|
||||
bin/login
|
||||
# Workaround debhelper complaining about login.defs, although we install it.
|
||||
etc/login.defs
|
||||
etc/pam.d/chfn
|
||||
etc/pam.d/chage
|
||||
@@ -14,27 +16,39 @@ etc/pam.d/passwd
|
||||
etc/pam.d/useradd
|
||||
etc/pam.d/userdel
|
||||
etc/pam.d/usermod
|
||||
sbin/nologin
|
||||
usr/bin/newgrp
|
||||
usr/bin/faillog
|
||||
usr/bin/sg
|
||||
usr/lib/*/libsubid.la
|
||||
usr/sbin/groupmems
|
||||
usr/sbin/logoutd
|
||||
usr/sbin/vigr
|
||||
usr/share/man/*/man1/groups.1
|
||||
usr/share/man/*/man1/login.1
|
||||
usr/share/man/*/man1/logoutd.1
|
||||
usr/share/man/*/man1/newgrp.1
|
||||
usr/share/man/*/man1/sg.1
|
||||
usr/share/man/*/man1/su.1
|
||||
usr/share/man/*/man3/getspnam.3
|
||||
usr/share/man/*/man3/shadow.3
|
||||
usr/share/man/*/man5/faillog.5
|
||||
usr/share/man/*/man5/suauth.5
|
||||
usr/share/man/*/man8/faillog.8
|
||||
usr/share/man/*/man8/groupmems.8
|
||||
usr/share/man/*/man8/logoutd.8
|
||||
usr/share/man/*/man8/nologin.8
|
||||
usr/share/man/man1/groups.1
|
||||
usr/share/man/man1/login.1
|
||||
usr/share/man/man1/logoutd.1
|
||||
usr/share/man/man1/newgrp.1
|
||||
usr/share/man/man1/sg.1
|
||||
usr/share/man/man1/su.1
|
||||
usr/share/man/man3/getspnam.3
|
||||
usr/share/man/man3/shadow.3
|
||||
usr/share/man/man5/faillog.5
|
||||
usr/share/man/man5/suauth.5
|
||||
usr/share/man/man8/faillog.8
|
||||
usr/share/man/man8/groupmems.8
|
||||
usr/share/man/man8/logoutd.8
|
||||
|
||||
usr/share/man/man8/nologin.8
|
||||
|
||||
Vendored
+1
-1
@@ -11,7 +11,6 @@ usr/sbin/chpasswd
|
||||
usr/sbin/cppw
|
||||
usr/sbin/groupadd
|
||||
usr/sbin/groupdel
|
||||
usr/sbin/groupmems
|
||||
usr/sbin/groupmod
|
||||
usr/sbin/grpck
|
||||
usr/sbin/grpconv
|
||||
@@ -24,3 +23,4 @@ usr/sbin/useradd
|
||||
usr/sbin/userdel
|
||||
usr/sbin/usermod
|
||||
usr/sbin/vipw
|
||||
usr/share/locale/*/LC_MESSAGES/shadow.mo
|
||||
|
||||
Vendored
-2
@@ -15,7 +15,6 @@ usr/share/man/*/man8/chgpasswd.8
|
||||
usr/share/man/*/man8/chpasswd.8
|
||||
usr/share/man/*/man8/groupadd.8
|
||||
usr/share/man/*/man8/groupdel.8
|
||||
usr/share/man/*/man8/groupmems.8
|
||||
usr/share/man/*/man8/groupmod.8
|
||||
usr/share/man/*/man8/grpck.8
|
||||
usr/share/man/*/man8/grpconv.8
|
||||
@@ -45,7 +44,6 @@ usr/share/man/man8/chgpasswd.8
|
||||
usr/share/man/man8/chpasswd.8
|
||||
usr/share/man/man8/groupadd.8
|
||||
usr/share/man/man8/groupdel.8
|
||||
usr/share/man/man8/groupmems.8
|
||||
usr/share/man/man8/groupmod.8
|
||||
usr/share/man/man8/grpck.8
|
||||
usr/share/man/man8/grpconv.8
|
||||
|
||||
@@ -0,0 +1,514 @@
|
||||
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
|
||||
Date: Sun, 7 Jul 2024 14:06:39 +0200
|
||||
Subject: Adapt login.defs for Debian
|
||||
|
||||
Remove settings only applicable to shadow's su, which we do not use.
|
||||
Remove settings only applicable without PAM support enabled.
|
||||
Remove obscure commented-out settings.
|
||||
---
|
||||
etc/login.defs | 372 ++++++++-------------------------------------------------
|
||||
1 file changed, 51 insertions(+), 321 deletions(-)
|
||||
|
||||
diff --git a/etc/login.defs b/etc/login.defs
|
||||
index 33622c2..f44f381 100644
|
||||
--- a/etc/login.defs
|
||||
+++ b/etc/login.defs
|
||||
@@ -1,24 +1,38 @@
|
||||
#
|
||||
# /etc/login.defs - Configuration control definitions for the shadow package.
|
||||
#
|
||||
-# $Id$
|
||||
-#
|
||||
|
||||
-#
|
||||
-# Delay in seconds before being allowed another attempt after a login failure
|
||||
-# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
|
||||
-# pam_unix(8) enforces a 2s delay)
|
||||
-#
|
||||
-FAIL_DELAY 3
|
||||
-
|
||||
-#
|
||||
-# Enable logging and display of /var/log/faillog login(1) failure info.
|
||||
-#
|
||||
-FAILLOG_ENAB yes
|
||||
+# REQUIRED for useradd/userdel/usermod
|
||||
+# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
|
||||
+# MAIL_DIR takes precedence.
|
||||
+#
|
||||
+# Essentially:
|
||||
+# - MAIL_DIR defines the location of users mail spool files
|
||||
+# (for mbox use) by appending the username to MAIL_DIR as defined
|
||||
+# below.
|
||||
+# - MAIL_FILE defines the location of the users mail spool files as the
|
||||
+# fully-qualified filename obtained by prepending the user home
|
||||
+# directory before $MAIL_FILE
|
||||
+#
|
||||
+# NOTE: This is no more used for setting up users MAIL environment variable
|
||||
+# which is, starting from shadow 4.0.12-1 in Debian, entirely the
|
||||
+# job of the pam_mail PAM modules
|
||||
+# See default PAM configuration files provided for
|
||||
+# login, su, etc.
|
||||
+#
|
||||
+# This is a temporary situation: setting these variables will soon
|
||||
+# move to /etc/default/useradd and the variables will then be
|
||||
+# no more supported
|
||||
+MAIL_DIR /var/mail
|
||||
+#MAIL_FILE .mail
|
||||
|
||||
#
|
||||
# Enable display of unknown usernames when login(1) failures are recorded.
|
||||
#
|
||||
+# WARNING: Unknown usernames may become world readable.
|
||||
+# See #290803 and #298773 for details about how this could become a security
|
||||
+# concern
|
||||
LOG_UNKFAIL_ENAB no
|
||||
|
||||
#
|
||||
@@ -26,110 +40,12 @@ LOG_UNKFAIL_ENAB no
|
||||
#
|
||||
LOG_OK_LOGINS no
|
||||
|
||||
-#
|
||||
-# Enable logging and display of /var/log/lastlog login(1) time info.
|
||||
-#
|
||||
-LASTLOG_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# Limit the highest user ID number for which the lastlog entries should
|
||||
-# be updated.
|
||||
-#
|
||||
-# No LASTLOG_UID_MAX means that there is no user ID limit for writing
|
||||
-# lastlog entries.
|
||||
-#
|
||||
-#LASTLOG_UID_MAX
|
||||
-
|
||||
-#
|
||||
-# Enable checking and display of mailbox status upon login.
|
||||
-#
|
||||
-# Disable if the shell startup files already check for mail
|
||||
-# ("mailx -e" or equivalent).
|
||||
-#
|
||||
-MAIL_CHECK_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# Enable additional checks upon password changes.
|
||||
-#
|
||||
-OBSCURE_CHECKS_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# Enable checking of time restrictions specified in /etc/porttime.
|
||||
-#
|
||||
-PORTTIME_CHECKS_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
|
||||
-#
|
||||
-QUOTAS_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
|
||||
-# SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
|
||||
-#
|
||||
-SYSLOG_SU_ENAB yes
|
||||
-SYSLOG_SG_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# If defined, either full pathname of a file containing device names or
|
||||
-# a ":" delimited list of device names. Root logins will be allowed only
|
||||
-# from these devices.
|
||||
-#
|
||||
-CONSOLE /etc/securetty
|
||||
-#CONSOLE console:tty01:tty02:tty03:tty04
|
||||
-
|
||||
-#
|
||||
-# If defined, all su(1) activity is logged to this file.
|
||||
-#
|
||||
-#SULOG_FILE /var/log/sulog
|
||||
-
|
||||
-#
|
||||
-# If defined, ":" delimited list of "message of the day" files to
|
||||
-# be displayed upon login.
|
||||
-#
|
||||
-MOTD_FILE /etc/motd
|
||||
-#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
|
||||
-
|
||||
-#
|
||||
-# If defined, this file will be output before each login(1) prompt.
|
||||
-#
|
||||
-#ISSUE_FILE /etc/issue
|
||||
-
|
||||
#
|
||||
# If defined, file which maps tty line to TERM environment parameter.
|
||||
# Each line of the file is in a format similar to "vt100 tty01".
|
||||
#
|
||||
#TTYTYPE_FILE /etc/ttytype
|
||||
|
||||
-#
|
||||
-# If defined, login(1) failures will be logged here in a utmp format.
|
||||
-# last(1), when invoked as lastb(1), will read /var/log/btmp, so...
|
||||
-#
|
||||
-FTMP_FILE /var/log/btmp
|
||||
-
|
||||
-#
|
||||
-# If defined, name of file whose presence will inhibit non-root
|
||||
-# logins. The content of this file should be a message indicating
|
||||
-# why logins are inhibited.
|
||||
-#
|
||||
-NOLOGINS_FILE /etc/nologin
|
||||
-
|
||||
-#
|
||||
-# If defined, the command name to display when running "su -". For
|
||||
-# example, if this is defined as "su" then ps(1) will display the
|
||||
-# command as "-su". If not defined, then ps(1) will display the
|
||||
-# name of the shell actually being run, e.g. something like "-sh".
|
||||
-#
|
||||
-SU_NAME su
|
||||
-
|
||||
-#
|
||||
-# *REQUIRED*
|
||||
-# Directory where mailboxes reside, _or_ name of file, relative to the
|
||||
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
|
||||
-#
|
||||
-MAIL_DIR /var/spool/mail
|
||||
-#MAIL_FILE .mail
|
||||
-
|
||||
#
|
||||
# If defined, file which inhibits all the usual chatter during the login
|
||||
# sequence. If a full pathname, then hushed mode will be enabled if the
|
||||
@@ -139,27 +55,12 @@ MAIL_DIR /var/spool/mail
|
||||
HUSHLOGIN_FILE .hushlogin
|
||||
#HUSHLOGIN_FILE /etc/hushlogins
|
||||
|
||||
-#
|
||||
-# If defined, either a TZ environment parameter spec or the
|
||||
-# fully-rooted pathname of a file containing such a spec.
|
||||
-#
|
||||
-#ENV_TZ TZ=CST6CDT
|
||||
-#ENV_TZ /etc/tzname
|
||||
-
|
||||
-#
|
||||
-# If defined, an HZ environment parameter spec.
|
||||
-#
|
||||
-# for Linux/x86
|
||||
-ENV_HZ HZ=100
|
||||
-# For Linux/Alpha...
|
||||
-#ENV_HZ HZ=1024
|
||||
-
|
||||
#
|
||||
# *REQUIRED* The default PATH settings, for superuser and normal users.
|
||||
#
|
||||
# (they are minimal, add the rest in the shell startup files)
|
||||
-ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
|
||||
-ENV_PATH PATH=/bin:/usr/bin
|
||||
+ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
|
||||
|
||||
#
|
||||
# Terminal permissions
|
||||
@@ -172,6 +73,13 @@ ENV_PATH PATH=/bin:/usr/bin
|
||||
# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
|
||||
# set TTYPERM to either 622 or 600.
|
||||
#
|
||||
+# In Debian, write(1) similar programs are setgid tty.
|
||||
+# However, the default and recommended value for TTYPERM is still 0600
|
||||
+# to not allow anyone to write to anyone else console or terminal.
|
||||
+#
|
||||
+# Users can still allow other people to write them by issuing
|
||||
+# the "mesg y" command.
|
||||
+#
|
||||
TTYGROUP tty
|
||||
TTYPERM 0600
|
||||
|
||||
@@ -180,61 +88,35 @@ TTYPERM 0600
|
||||
#
|
||||
# ERASECHAR Terminal ERASE character ('\010' = backspace).
|
||||
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
|
||||
-# ULIMIT Default "ulimit" value.
|
||||
#
|
||||
# The ERASECHAR and KILLCHAR are used only on System V machines.
|
||||
-# The ULIMIT is used only if the system supports it.
|
||||
-# (now it works with setrlimit too; ulimit is in 512-byte units)
|
||||
-#
|
||||
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
|
||||
#
|
||||
ERASECHAR 0177
|
||||
KILLCHAR 025
|
||||
-#ULIMIT 2097152
|
||||
-
|
||||
-# Default initial "umask" value used by login(1) on non-PAM enabled systems.
|
||||
-# Default "umask" value for pam_umask(8) on PAM enabled systems.
|
||||
-# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
|
||||
-# home directories if HOME_MODE is not set.
|
||||
-# 022 is the default value, but 027, or even 077, could be considered
|
||||
-# for increased privacy. There is no One True Answer here: each sysadmin
|
||||
-# must make up their mind.
|
||||
-UMASK 022
|
||||
|
||||
# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
|
||||
# home directories.
|
||||
-# If HOME_MODE is not set, the value of UMASK is used to create the mode.
|
||||
-#HOME_MODE 0700
|
||||
+HOME_MODE 0700
|
||||
|
||||
#
|
||||
# Password aging controls:
|
||||
#
|
||||
# PASS_MAX_DAYS Maximum number of days a password may be used.
|
||||
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
|
||||
-# PASS_MIN_LEN Minimum acceptable password length.
|
||||
# PASS_WARN_AGE Number of days warning given before a password expires.
|
||||
#
|
||||
PASS_MAX_DAYS 99999
|
||||
PASS_MIN_DAYS 0
|
||||
-PASS_MIN_LEN 5
|
||||
PASS_WARN_AGE 7
|
||||
|
||||
-#
|
||||
-# If "yes", the user must be listed as a member of the first gid 0 group
|
||||
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
|
||||
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
|
||||
-# will be able to "su" to uid 0.
|
||||
-#
|
||||
-SU_WHEEL_ONLY no
|
||||
-
|
||||
#
|
||||
# Min/max values for automatic uid selection in useradd(8)
|
||||
#
|
||||
UID_MIN 1000
|
||||
UID_MAX 60000
|
||||
# System accounts
|
||||
-SYS_UID_MIN 101
|
||||
-SYS_UID_MAX 999
|
||||
+#SYS_UID_MIN 101
|
||||
+#SYS_UID_MAX 999
|
||||
# Extra per user uids
|
||||
SUB_UID_MIN 100000
|
||||
SUB_UID_MAX 600100000
|
||||
@@ -246,8 +128,8 @@ SUB_UID_COUNT 65536
|
||||
GID_MIN 1000
|
||||
GID_MAX 60000
|
||||
# System accounts
|
||||
-SYS_GID_MIN 101
|
||||
-SYS_GID_MAX 999
|
||||
+#SYS_GID_MIN 101
|
||||
+#SYS_GID_MAX 999
|
||||
# Extra per user group ids
|
||||
SUB_GID_MIN 100000
|
||||
SUB_GID_MAX 600100000
|
||||
@@ -255,6 +137,9 @@ SUB_GID_COUNT 65536
|
||||
|
||||
#
|
||||
# Max number of login(1) retries if password is bad
|
||||
+# This will most likely be overriden by PAM, since the default pam_unix module
|
||||
+# has it's own built in of 3 retries. However, this is a safe fallback in case
|
||||
+# you are using an authentication module that does not enforce PAM_MAXTRIES.
|
||||
#
|
||||
LOGIN_RETRIES 5
|
||||
|
||||
@@ -263,28 +148,6 @@ LOGIN_RETRIES 5
|
||||
#
|
||||
LOGIN_TIMEOUT 60
|
||||
|
||||
-#
|
||||
-# Maximum number of attempts to change password if rejected (too easy)
|
||||
-#
|
||||
-PASS_CHANGE_TRIES 5
|
||||
-
|
||||
-#
|
||||
-# Warn about weak passwords (but still allow them) if you are root.
|
||||
-#
|
||||
-PASS_ALWAYS_WARN yes
|
||||
-
|
||||
-#
|
||||
-# Number of significant characters in the password for crypt().
|
||||
-# Default is 8, don't change unless your crypt() is better.
|
||||
-# Ignored if MD5_CRYPT_ENAB set to "yes".
|
||||
-#
|
||||
-#PASS_MAX_LEN 8
|
||||
-
|
||||
-#
|
||||
-# Require password before chfn(1)/chsh(1) can make any changes.
|
||||
-#
|
||||
-CHFN_AUTH yes
|
||||
-
|
||||
#
|
||||
# Which fields may be changed by regular users using chfn(1) - use
|
||||
# any combination of letters "frwh" (full name, room number, work
|
||||
@@ -294,29 +157,6 @@ CHFN_AUTH yes
|
||||
CHFN_RESTRICT rwh
|
||||
|
||||
#
|
||||
-# Password prompt (%s will be replaced by user name).
|
||||
-#
|
||||
-# XXX - it doesn't work correctly yet, for now leave it commented out
|
||||
-# to use the default which is just "Password: ".
|
||||
-#LOGIN_STRING "%s's Password: "
|
||||
-
|
||||
-#
|
||||
-# Only works if compiled with MD5_CRYPT defined:
|
||||
-# If set to "yes", new passwords will be encrypted using the MD5-based
|
||||
-# algorithm compatible with the one used by recent releases of FreeBSD.
|
||||
-# It supports passwords of unlimited length and longer salt strings.
|
||||
-# Set to "no" if you need to copy encrypted passwords to other systems
|
||||
-# which don't understand the new algorithm. Default is "no".
|
||||
-#
|
||||
-# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
-# the PAM modules configuration.
|
||||
-#
|
||||
-# This variable is deprecated. You should use ENCRYPT_METHOD instead.
|
||||
-#
|
||||
-#MD5_CRYPT_ENAB no
|
||||
-
|
||||
-#
|
||||
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
|
||||
# If set to MD5, MD5-based algorithm will be used for encrypting password
|
||||
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
|
||||
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
|
||||
@@ -326,66 +166,10 @@ CHFN_RESTRICT rwh
|
||||
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
|
||||
# Overrides the MD5_CRYPT_ENAB option
|
||||
#
|
||||
-# Note: If you use PAM, it is recommended to use a value consistent with
|
||||
+# Note: It is recommended to use a value consistent with
|
||||
# the PAM modules configuration.
|
||||
#
|
||||
-#ENCRYPT_METHOD DES
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
|
||||
-#
|
||||
-# Define the number of SHA rounds.
|
||||
-# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
-# However, more CPU resources will be needed to authenticate users if
|
||||
-# this value is increased.
|
||||
-#
|
||||
-# If not specified, the libc will choose the default number of rounds (5000),
|
||||
-# which is orders of magnitude too low for modern hardware.
|
||||
-# The values must be within the 1000-999999999 range.
|
||||
-# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
-# If MIN > MAX, the highest value will be used.
|
||||
-#
|
||||
-#SHA_CRYPT_MIN_ROUNDS 5000
|
||||
-#SHA_CRYPT_MAX_ROUNDS 5000
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to BCRYPT.
|
||||
-#
|
||||
-# Define the number of BCRYPT rounds.
|
||||
-# With a lot of rounds, it is more difficult to brute-force the password.
|
||||
-# However, more CPU resources will be needed to authenticate users if
|
||||
-# this value is increased.
|
||||
-#
|
||||
-# If not specified, 13 rounds will be attempted.
|
||||
-# If only one of the MIN or MAX values is set, then this value will be used.
|
||||
-# If MIN > MAX, the highest value will be used.
|
||||
-#
|
||||
-#BCRYPT_MIN_ROUNDS 13
|
||||
-#BCRYPT_MAX_ROUNDS 13
|
||||
-
|
||||
-#
|
||||
-# Only works if ENCRYPT_METHOD is set to YESCRYPT.
|
||||
-#
|
||||
-# Define the YESCRYPT cost factor.
|
||||
-# With a higher cost factor, it is more difficult to brute-force the password.
|
||||
-# However, more CPU time and more memory will be needed to authenticate users
|
||||
-# if this value is increased.
|
||||
-#
|
||||
-# If not specified, a cost factor of 5 will be used.
|
||||
-# The value must be within the 1-11 range.
|
||||
-#
|
||||
-#YESCRYPT_COST_FACTOR 5
|
||||
-
|
||||
-#
|
||||
-# List of groups to add to the user's supplementary group set
|
||||
-# when logging in from the console (as determined by the CONSOLE
|
||||
-# setting). Default is none.
|
||||
-#
|
||||
-# Use with caution - it is possible for users to gain permanent
|
||||
-# access to these groups, even when not logged in from the console.
|
||||
-# How to do it is left as an exercise for the reader...
|
||||
-#
|
||||
-#CONSOLE_GROUPS floppy:audio:cdrom
|
||||
+ENCRYPT_METHOD YESCRYPT
|
||||
|
||||
#
|
||||
# Should login be allowed if we can't cd to the home directory?
|
||||
@@ -401,12 +185,6 @@ DEFAULT_HOME yes
|
||||
#
|
||||
NONEXISTENT /nonexistent
|
||||
|
||||
-#
|
||||
-# If this file exists and is readable, login environment will be
|
||||
-# read from it. Every line should be in the form name=value.
|
||||
-#
|
||||
-ENVIRON_FILE /etc/environment
|
||||
-
|
||||
#
|
||||
# If defined, this command is run when removing a user.
|
||||
# It should remove any at/cron/print jobs etc. owned by
|
||||
@@ -415,59 +193,11 @@ ENVIRON_FILE /etc/environment
|
||||
#USERDEL_CMD /usr/sbin/userdel_local
|
||||
|
||||
#
|
||||
-# Enable setting of the umask group bits to be the same as owner bits
|
||||
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
|
||||
-# the same as gid, and username is the same as the primary group name.
|
||||
+# If set to yes, userdel(8) will remove the user's group if it contains no more
|
||||
+# members, and useradd(8) will create by default a group with the name of the
|
||||
+# user.
|
||||
#
|
||||
-# This also enables userdel(8) to remove user groups if no members exist.
|
||||
+# Other former uses of this variable are not used in PAM environments, such as
|
||||
+# Debian.
|
||||
#
|
||||
USERGROUPS_ENAB yes
|
||||
-
|
||||
-#
|
||||
-# If set to a non-zero number, the shadow utilities will make sure that
|
||||
-# groups never have more than this number of users on one line.
|
||||
-# This permits to support split groups (groups split into multiple lines,
|
||||
-# with the same group ID, to avoid limitation of the line length in the
|
||||
-# group file).
|
||||
-#
|
||||
-# 0 is the default value and disables this feature.
|
||||
-#
|
||||
-#MAX_MEMBERS_PER_GROUP 0
|
||||
-
|
||||
-#
|
||||
-# If useradd(8) should create home directories for users by default (non
|
||||
-# system users only).
|
||||
-# This option is overridden with the -M or -m flags on the useradd(8)
|
||||
-# command-line.
|
||||
-#
|
||||
-#CREATE_HOME yes
|
||||
-
|
||||
-#
|
||||
-# Force use shadow, even if shadow passwd & shadow group files are
|
||||
-# missing.
|
||||
-#
|
||||
-#FORCE_SHADOW yes
|
||||
-
|
||||
-#
|
||||
-# Allow newuidmap and newgidmap when running under an alternative
|
||||
-# primary group.
|
||||
-#
|
||||
-#GRANT_AUX_GROUP_SUBIDS yes
|
||||
-
|
||||
-#
|
||||
-# Prevents an empty password field to be interpreted as "no authentication
|
||||
-# required".
|
||||
-# Set to "yes" to prevent for all accounts
|
||||
-# Set to "superuser" to prevent for UID 0 / root (default)
|
||||
-# Set to "no" to not prevent for any account (dangerous, historical default)
|
||||
-PREVENT_NO_AUTH superuser
|
||||
-
|
||||
-#
|
||||
-# Select the HMAC cryptography algorithm.
|
||||
-# Used in pam_timestamp module to calculate the keyed-hash message
|
||||
-# authentication code.
|
||||
-#
|
||||
-# Note: It is recommended to check hmac(3) to see the possible algorithms
|
||||
-# that are available in your system.
|
||||
-#
|
||||
-#HMAC_CRYPTO_ALGO SHA512
|
||||
-2
@@ -4,8 +4,6 @@ Subject: Document the shadowconfig utility
|
||||
|
||||
Status wrt upstream: The shadowconfig utility is debian specific.
|
||||
Its man page also (but it used to be distributed)
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
man/Makefile.am | 2 ++
|
||||
man/fr/Makefile.am | 1 +
|
||||
-2
@@ -11,8 +11,6 @@ in 4.9 merged those values from upstream's default configuration file
|
||||
which is not shipped in Debian.
|
||||
This patch keeps the program's compiled in defaults in sync with the
|
||||
configuration files shipped in Debian (debian/default/useradd).
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
man/useradd.8.xml | 2 +-
|
||||
src/useradd.c | 4 ++--
|
||||
-2
@@ -7,8 +7,6 @@ Fixes: #87648
|
||||
Status wrt upstream: Forwarded but not applied yet
|
||||
|
||||
Note: If removed, FAIL_DELAY must be re-added to /etc/login.defs
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
lib/getdef.c | 1 -
|
||||
src/login.c | 19 +++++--------------
|
||||
-2
@@ -5,8 +5,6 @@ Subject: Recommend using adduser and deluser
|
||||
Fixes: #406046
|
||||
|
||||
Status wrt upstream: Debian specific patch.
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
man/useradd.8.xml | 6 ++++++
|
||||
man/userdel.8.xml | 6 ++++++
|
||||
@@ -0,0 +1,123 @@
|
||||
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
|
||||
Date: Sat, 22 Jun 2024 17:39:41 +0200
|
||||
Subject: Relax usernames/groupnames checking
|
||||
|
||||
Allows any non-empty user/grounames that don't contain ':', ',', '\\' or
|
||||
'\n' characters and don't start with '-', '+', or '~'. This patch is
|
||||
more restrictive than original Karl's version. closes: #264879 Also
|
||||
closes: #377844
|
||||
|
||||
Comments from Karl Ramm (shadow 1:4.0.3-9, 20 Aug 2003 02:06:50 -0400):
|
||||
|
||||
I can't come up with a good justification as to why characters other
|
||||
than ':'s and '\0's should be disallowed in group and usernames (other
|
||||
than '-' as the leading character). Thus, the maintenance tools don't
|
||||
anymore. closes: #79682, #166798, #171179
|
||||
|
||||
Status wrt upstream: Debian specific. Not to be used upstream
|
||||
---
|
||||
lib/chkname.c | 47 +++++++++++++++--------------------------------
|
||||
man/groupadd.8.xml | 6 ++++++
|
||||
man/useradd.8.xml | 8 ++++++++
|
||||
3 files changed, 29 insertions(+), 32 deletions(-)
|
||||
|
||||
diff --git a/lib/chkname.c b/lib/chkname.c
|
||||
index 995562f..9954410 100644
|
||||
--- a/lib/chkname.c
|
||||
+++ b/lib/chkname.c
|
||||
@@ -54,44 +54,27 @@ static bool is_valid_name (const char *name)
|
||||
}
|
||||
|
||||
/*
|
||||
- * User/group names must match BRE regex:
|
||||
- * [a-zA-Z0-9_.][a-zA-Z0-9_.-]*$\?
|
||||
- *
|
||||
- * as a non-POSIX, extension, allow "$" as the last char for
|
||||
- * sake of Samba 3.x "add machine script"
|
||||
- *
|
||||
- * Also do not allow fully numeric names or just "." or "..".
|
||||
- */
|
||||
- int numeric;
|
||||
-
|
||||
- if ('\0' == *name ||
|
||||
- ('.' == *name && (('.' == name[1] && '\0' == name[2]) ||
|
||||
- '\0' == name[1])) ||
|
||||
- !((*name >= 'a' && *name <= 'z') ||
|
||||
- (*name >= 'A' && *name <= 'Z') ||
|
||||
- (*name >= '0' && *name <= '9') ||
|
||||
- *name == '_' ||
|
||||
- *name == '.')) {
|
||||
+ * POSIX indicate that usernames are composed of characters from the
|
||||
+ * portable filename character set [A-Za-z0-9._-], and that the hyphen
|
||||
+ * should not be used as the first character of a portable user name.
|
||||
+ *
|
||||
+ * Allow more relaxed user/group names in Debian -- ^[^-~+:,\\\s][^:,\\\s]*$
|
||||
+ */
|
||||
+ if ( ('\0' == *name)
|
||||
+ || ('-' == *name)
|
||||
+ || ('~' == *name)
|
||||
+ || ('+' == *name)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
- numeric = isdigit(*name);
|
||||
-
|
||||
- while ('\0' != *++name) {
|
||||
- if (!((*name >= 'a' && *name <= 'z') ||
|
||||
- (*name >= 'A' && *name <= 'Z') ||
|
||||
- (*name >= '0' && *name <= '9') ||
|
||||
- *name == '_' ||
|
||||
- *name == '.' ||
|
||||
- *name == '-' ||
|
||||
- (*name == '$' && name[1] == '\0')
|
||||
- )) {
|
||||
+ do {
|
||||
+ if ((':' == *name) || (',' == *name) || ('\\' == *name) || isspace(*name)) {
|
||||
return false;
|
||||
}
|
||||
- numeric &= isdigit(*name);
|
||||
- }
|
||||
+ name++;
|
||||
+ } while ('\0' != *name);
|
||||
|
||||
- return !numeric;
|
||||
+ return true;
|
||||
}
|
||||
|
||||
|
||||
diff --git a/man/groupadd.8.xml b/man/groupadd.8.xml
|
||||
index 61a548f..d472bd0 100644
|
||||
--- a/man/groupadd.8.xml
|
||||
+++ b/man/groupadd.8.xml
|
||||
@@ -71,6 +71,12 @@
|
||||
Fully numeric groupnames and groupnames . or .. are
|
||||
also disallowed.
|
||||
</para>
|
||||
+ <para>
|
||||
+ On Debian, the only constraints are that groupnames must neither start
|
||||
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
|
||||
+ colon (':'), a comma (','), or a whitespace (space:' ',
|
||||
+ end of line: '\n', tabulation: '\t', etc.).
|
||||
+ </para>
|
||||
<para>
|
||||
Groupnames may only be up to &GROUP_NAME_MAX_LENGTH; characters long.
|
||||
</para>
|
||||
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
|
||||
index 17987a6..c98b214 100644
|
||||
--- a/man/useradd.8.xml
|
||||
+++ b/man/useradd.8.xml
|
||||
@@ -735,6 +735,14 @@
|
||||
<para>
|
||||
Usernames may only be up to 256 characters long.
|
||||
</para>
|
||||
+ <para>
|
||||
+ On Debian, the only constraints are that usernames must neither start
|
||||
+ with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a
|
||||
+ colon (':'), a comma (','), or a whitespace (space: ' ',
|
||||
+ end of line: '\n', tabulation: '\t', etc.). Note that using a slash
|
||||
+ ('/') may break the default algorithm for the definition of the
|
||||
+ user's home directory.
|
||||
+ </para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1 id='configuration'>
|
||||
-2
@@ -5,8 +5,6 @@ Subject: Set group and mode for [g]shadow files
|
||||
Set group 'shadow' and mode 0400.
|
||||
|
||||
Fixes: #166793
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
lib/commonio.c | 12 ++++++++++++
|
||||
lib/sgroupio.c | 2 +-
|
||||
-1
@@ -2,7 +2,6 @@ From: Nicolas FRANCOIS <nicolas.francois@centraliens.net>
|
||||
Date: Sat, 22 Jun 2024 17:39:41 +0200
|
||||
Subject: cppw: Add tool
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
po/POTFILES.in | 1 +
|
||||
src/Makefile.am | 2 +
|
||||
debian/patches/cppw-add-selinux-support.patch → debian/patches/debian/cppw-add-selinux-support.patch
Vendored
-2
@@ -4,8 +4,6 @@ Subject: cppw: add selinux support
|
||||
|
||||
Status wrt upstream: cppw is not available upstream.
|
||||
Needs to be reviewed by an SE-Linux aware person.
|
||||
|
||||
Gbp-Topic: debian
|
||||
---
|
||||
src/cppw.c | 28 ++++++++++++++++++++++++++++
|
||||
1 file changed, 28 insertions(+)
|
||||
+89
@@ -0,0 +1,89 @@
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Thu, 27 Jun 2024 01:23:05 +0200
|
||||
Subject: upstream testsuite: disable su tests
|
||||
|
||||
Debian uses su from util-linux, pointless/impossible to test shadow's su
|
||||
here.
|
||||
---
|
||||
tests/tests/run_some | 68 ----------------------------------------------------
|
||||
1 file changed, 68 deletions(-)
|
||||
|
||||
diff --git a/tests/tests/run_some b/tests/tests/run_some
|
||||
index 91f5626..a1e6e11 100755
|
||||
--- a/tests/tests/run_some
|
||||
+++ b/tests/tests/run_some
|
||||
@@ -63,74 +63,6 @@ echo "-: test failed"
|
||||
find "${build_path}" -name "*.gcda" -delete
|
||||
# ignore the result of the first test. ~magic~
|
||||
run_test ./su/01/su_user.test ignore_failure
|
||||
-run_test ./su/01/su_user.test
|
||||
-run_test ./su/01/su_root.test
|
||||
-find "${build_path}" -name "*.gcda" -exec chmod a+rw {} \;
|
||||
-run_test ./su/02/env_FOO-options_--login
|
||||
-run_test ./su/02/env_FOO-options_--login_bash
|
||||
-run_test ./su/02/env_FOO-options_--preserve-environment
|
||||
-run_test ./su/02/env_FOO-options_--preserve-environment_bash
|
||||
-run_test ./su/02/env_FOO-options_-
|
||||
-run_test ./su/02/env_FOO-options_-_bash
|
||||
-run_test ./su/02/env_FOO-options_-l-m
|
||||
-run_test ./su/02/env_FOO-options_-l-m_bash
|
||||
-run_test ./su/02/env_FOO-options_-l
|
||||
-run_test ./su/02/env_FOO-options_-l_bash
|
||||
-run_test ./su/02/env_FOO-options_-m_bash
|
||||
-run_test ./su/02/env_FOO-options_-m
|
||||
-run_test ./su/02/env_FOO-options_-p
|
||||
-run_test ./su/02/env_FOO-options_-p_bash
|
||||
-run_test ./su/02/env_FOO-options__bash
|
||||
-run_test ./su/02/env_FOO-options_
|
||||
-run_test ./su/02/env_FOO-options_-p-
|
||||
-run_test ./su/02/env_FOO-options_-p-_bash
|
||||
-run_test ./su/02/env_special-options_-l-p
|
||||
-run_test ./su/02/env_special-options_-l
|
||||
-run_test ./su/02/env_special-options_-l-p_bash
|
||||
-run_test ./su/02/env_special-options_-l_bash
|
||||
-run_test ./su/02/env_special-options_-p
|
||||
-run_test ./su/02/env_special-options_-p_bash
|
||||
-run_test ./su/02/env_special-options_
|
||||
-run_test ./su/02/env_special-options__bash
|
||||
-run_test ./su/02/env_special_root-options_-l-p
|
||||
-run_test ./su/02/env_special_root-options_-l-p_bash
|
||||
-run_test ./su/02/env_special_root-options_-l
|
||||
-run_test ./su/02/env_special_root-options_-l_bash
|
||||
-run_test ./su/02/env_special_root-options_-p
|
||||
-run_test ./su/02/env_special_root-options_-p_bash
|
||||
-run_test ./su/02/env_special_root-options_
|
||||
-run_test ./su/02/env_special_root-options__bash
|
||||
-run_test ./su/03/su_run_command01.test
|
||||
-run_test ./su/03/su_run_command02.test
|
||||
-run_test ./su/03/su_run_command03.test
|
||||
-run_test ./su/03/su_run_command04.test
|
||||
-run_test ./su/03/su_run_command05.test
|
||||
-run_test ./su/03/su_run_command06.test
|
||||
-run_test ./su/03/su_run_command07.test
|
||||
-run_test ./su/03/su_run_command08.test
|
||||
-run_test ./su/03/su_run_command09.test
|
||||
-run_test ./su/03/su_run_command10.test
|
||||
-run_test ./su/03/su_run_command11.test
|
||||
-run_test ./su/03/su_run_command12.test
|
||||
-run_test ./su/03/su_run_command13.test
|
||||
-run_test ./su/03/su_run_command14.test
|
||||
-run_test ./su/03/su_run_command15.test
|
||||
-run_test ./su/03/su_run_command16.test
|
||||
-run_test ./su/03/su_run_command17.test
|
||||
-run_test ./su/04/su_wrong_user.test
|
||||
-run_test ./su/04/su_user_wrong_passwd.test
|
||||
-run_test ./su/04/su_user_wrong_passwd_syslog.test
|
||||
-run_test ./su/05/su_user_wrong_passwd_syslog.test
|
||||
-run_test ./su/06/su_user_syslog.test
|
||||
-run_test ./su/07/su_user_syslog.test
|
||||
-run_test ./su/08/env_special-options_
|
||||
-run_test ./su/08/env_special_root-options_
|
||||
-run_test ./su/09/env_special-options_
|
||||
-run_test ./su/09/env_special_root-options_
|
||||
-run_test ./su/10_su_sulog_success/su.test
|
||||
-run_test ./su/11_su_sulog_failure/su.test
|
||||
-run_test ./su/12_su_child_failure/su.test
|
||||
-run_test ./su/13_su_child_success/su.test
|
||||
run_test ./libsubid/01_list_ranges/list_ranges.test
|
||||
run_test ./libsubid/02_get_subid_owners/get_subid_owners.test
|
||||
run_test ./libsubid/03_add_remove/add_remove_subids.test
|
||||
@@ -0,0 +1,22 @@
|
||||
From: Chris Hofstaedtler <zeha@debian.org>
|
||||
Date: Sat, 6 Jul 2024 23:35:51 +0200
|
||||
Subject: tests/libsubid/04_nss: fix setting basedir
|
||||
|
||||
---
|
||||
tests/libsubid/04_nss/Makefile | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
Index: shadow/tests/tests/libsubid/04_nss/Makefile
|
||||
===================================================================
|
||||
--- shadow.orig/tests/tests/libsubid/04_nss/Makefile
|
||||
+++ shadow/tests/tests/libsubid/04_nss/Makefile
|
||||
@@ -1,7 +1,7 @@
|
||||
all: test_nss libsubid_zzz.so
|
||||
|
||||
-BASE_TEST_DIR ?= $(shell git rev-parse --show-toplevel)
|
||||
-basedir := $(BASE_TEST_DIR)
|
||||
+BUILD_BASE_DIR ?= $(shell git rev-parse --show-toplevel)
|
||||
+basedir := $(BUILD_BASE_DIR)
|
||||
|
||||
test_nss: test_nss.c $(basedir)/lib/nss.c
|
||||
gcc -c -I$(basedir)/lib/ -I$(basedir)-o test_nss.o test_nss.c
|
||||
Vendored
+12
-7
@@ -1,7 +1,12 @@
|
||||
cppw-Add-tool.patch
|
||||
cppw-add-selinux-support.patch
|
||||
Let-pam_unix-handle-login-failure-delays.patch
|
||||
Set-group-and-mode-for-g-shadow-files.patch
|
||||
Keep-using-Debian-adduser-defaults.patch
|
||||
Document-the-shadowconfig-utility.patch
|
||||
Recommend-using-adduser-and-deluser.patch
|
||||
debian/cppw-Add-tool.patch
|
||||
debian/cppw-add-selinux-support.patch
|
||||
debian/Let-pam_unix-handle-login-failure-delays.patch
|
||||
debian/Set-group-and-mode-for-g-shadow-files.patch
|
||||
debian/Keep-using-Debian-adduser-defaults.patch
|
||||
debian/Document-the-shadowconfig-utility.patch
|
||||
debian/Recommend-using-adduser-and-deluser.patch
|
||||
debian/Relax-usernames-groupnames-checking.patch
|
||||
upstream/tests-Support-run_some-from-exported-tarball.patch
|
||||
debian/tests-disable-su.patch
|
||||
debian/tests-libsubid-04_nss-fix-setting-basedir.patch
|
||||
debian/Adapt-login.defs-for-Debian.patch
|
||||
|
||||
@@ -0,0 +1,148 @@
|
||||
From: Serge Hallyn <serge@hallyn.com>
|
||||
Date: Sat, 25 May 2024 08:40:11 -0500
|
||||
Subject: tests/: Support run_some from exported tarball
|
||||
|
||||
common/config.sh currently tries to find the top directory by looking
|
||||
for .git. There are also many places under tests/ where we use
|
||||
hard-coded ../../.. to find things like ${TOP_DIR}/lib.
|
||||
|
||||
We don't actually ship the tests with 'make dist'. So we will
|
||||
be exporting tests/ as a separate tarball. In particular, I want
|
||||
to then import this in the debian package. However, there it will
|
||||
be under shadow.git/debian/tests, not shadow.git/tests.
|
||||
|
||||
To support this, accept the environment variable BUILD_BASE_DIR,
|
||||
which should point to shadow.git.
|
||||
|
||||
An alternative would be to move the tests to their own git
|
||||
tree. However, keeping tests in separate git tree tends to
|
||||
lead to repos getting out of sync. And we'd still need to accept
|
||||
something like BUILD_BASE_DIR.
|
||||
|
||||
Note there are a lot of tests under run-all, which I'm not converting
|
||||
as they currently are not being run in CI, so I'm more likely to
|
||||
break something.
|
||||
|
||||
Changelog:
|
||||
2024 05 26: Incorporate feedback from alejandro-colomar
|
||||
|
||||
Link: <https://salsa.debian.org/debian/shadow/-/merge_requests/21>
|
||||
Link: <https://salsa.debian.org/debian/shadow/-/merge_requests/22>
|
||||
Cc: Chris Hofstaedtler <zeha@debian.org>
|
||||
Signed-off-by: Serge Hallyn <serge@hallyn.com>
|
||||
Signed-off-by: Alejandro Colomar <alx@kernel.org>
|
||||
---
|
||||
tests/tests/common/config.sh | 16 +++++++++-------
|
||||
tests/tests/libsubid/04_nss/Makefile | 13 ++++++++-----
|
||||
tests/tests/libsubid/04_nss/subidnss.test | 2 +-
|
||||
tests/tests/libsubid/04_nss/test_range | 12 ++++++------
|
||||
4 files changed, 24 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/tests/tests/common/config.sh b/tests/tests/common/config.sh
|
||||
index a2f8df0..926cdae 100644
|
||||
--- a/tests/tests/common/config.sh
|
||||
+++ b/tests/tests/common/config.sh
|
||||
@@ -2,14 +2,16 @@
|
||||
|
||||
set -e
|
||||
|
||||
-build_path=$(pwd)
|
||||
-while [ "${build_path}" != "/" -a ! -e "${build_path}/.git" ]; do
|
||||
- build_path=$(dirname ${build_path})
|
||||
-done
|
||||
-if [ ! -e "${build_path}/.git" ]; then
|
||||
- echo "Not inside git directory" 1>&2
|
||||
- exit 1
|
||||
+if [ -n "${BUILD_BASE_DIR}" ]; then
|
||||
+ build_path="${BUILD_BASE_DIR}"
|
||||
+else
|
||||
+ build_path=$(git rev-parse --show-toplevel)
|
||||
fi
|
||||
+if [ -z "${build_path}" ]; then
|
||||
+ echo "Failed to find build base path"
|
||||
+ exit 1
|
||||
+fi
|
||||
+export build_path
|
||||
|
||||
# Save the configuration files in tmp.
|
||||
save_config ()
|
||||
diff --git a/tests/tests/libsubid/04_nss/Makefile b/tests/tests/libsubid/04_nss/Makefile
|
||||
index dd5acf7..79c2fc9 100644
|
||||
--- a/tests/tests/libsubid/04_nss/Makefile
|
||||
+++ b/tests/tests/libsubid/04_nss/Makefile
|
||||
@@ -1,12 +1,15 @@
|
||||
all: test_nss libsubid_zzz.so
|
||||
|
||||
-test_nss: test_nss.c ../../../lib/nss.c
|
||||
- gcc -c -I../../../lib/ -I../../.. -o test_nss.o test_nss.c
|
||||
- gcc -o test_nss test_nss.o ../../../lib/.libs/libshadow.a -ldl
|
||||
+BASE_TEST_DIR ?= $(shell git rev-parse --show-toplevel)
|
||||
+basedir := $(BASE_TEST_DIR)
|
||||
+
|
||||
+test_nss: test_nss.c $(basedir)/lib/nss.c
|
||||
+ gcc -c -I$(basedir)/lib/ -I$(basedir)-o test_nss.o test_nss.c
|
||||
+ gcc -o test_nss test_nss.o $(basedir)/lib/.libs/libshadow.a -ldl
|
||||
|
||||
libsubid_zzz.so: libsubid_zzz.c
|
||||
- gcc -c -I../../../lib/ -I../../.. -I../../../libsubid libsubid_zzz.c
|
||||
- gcc -L../../../libsubid -shared -o libsubid_zzz.so libsubid_zzz.o ../../../lib/.libs/libshadow.a -ldl
|
||||
+ gcc -c -I$(basedir)/lib/ -I$(basedir) -I$(basedir)/libsubid libsubid_zzz.c
|
||||
+ gcc -L$(basedir)/libsubid -shared -o libsubid_zzz.so libsubid_zzz.o $(basedir)/lib/.libs/libshadow.a -ldl
|
||||
|
||||
clean:
|
||||
rm -f *.o *.so test_nss
|
||||
diff --git a/tests/tests/libsubid/04_nss/subidnss.test b/tests/tests/libsubid/04_nss/subidnss.test
|
||||
index 3d40dc8..400171f 100755
|
||||
--- a/tests/tests/libsubid/04_nss/subidnss.test
|
||||
+++ b/tests/tests/libsubid/04_nss/subidnss.test
|
||||
@@ -9,7 +9,7 @@ cd $(dirname $0)
|
||||
|
||||
make
|
||||
|
||||
-export LD_LIBRARY_PATH=.:../../../lib/.libs:$LD_LIBRARY_PATH
|
||||
+export LD_LIBRARY_PATH=.:${build_path}/lib/.libs:$LD_LIBRARY_PATH
|
||||
|
||||
./test_nss 1
|
||||
./test_nss 2
|
||||
diff --git a/tests/tests/libsubid/04_nss/test_range b/tests/tests/libsubid/04_nss/test_range
|
||||
index ee25080..45a791c 100755
|
||||
--- a/tests/tests/libsubid/04_nss/test_range
|
||||
+++ b/tests/tests/libsubid/04_nss/test_range
|
||||
@@ -11,23 +11,23 @@ cleanup1() {
|
||||
umount /etc/nsswitch.conf
|
||||
}
|
||||
trap cleanup1 EXIT HUP INT TERM
|
||||
-../../../src/check_subid_range user1 u 100000 65535
|
||||
+${build_path}/src/check_subid_range user1 u 100000 65535
|
||||
if [ $? -ne 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
-../../../src/check_subid_range user2 u 100000 65535
|
||||
+${build_path}/src/check_subid_range user2 u 100000 65535
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
-../../../src/check_subid_range unknown u 100000 65535
|
||||
+${build_path}/src/check_subid_range unknown u 100000 65535
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
-../../../src/check_subid_range error u 100000 65535
|
||||
+${build_path}/src/check_subid_range error u 100000 65535
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
-../../../src/check_subid_range user1 u 1000 65535
|
||||
+${build_path}/src/check_subid_range user1 u 1000 65535
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
@@ -43,7 +43,7 @@ cleanup2() {
|
||||
umount /etc/nsswitch.conf
|
||||
}
|
||||
trap cleanup2 EXIT HUP INT TERM
|
||||
-../../../src/check_subid_range user1 u 100000 65535
|
||||
+${build_path}/src/check_subid_range user1 u 100000 65535
|
||||
if [ $? -eq 0 ]; then
|
||||
exit 1
|
||||
fi
|
||||
Vendored
+1
-15
@@ -24,7 +24,7 @@ DEB_CONFIGURE_EXTRA_FLAGS := \
|
||||
--without-tcb \
|
||||
|
||||
|
||||
ifneq ($(DEB_HOST_ARCH_OS),linux)
|
||||
ifeq ($(DEB_HOST_ARCH_OS),linux)
|
||||
DEB_CONFIGURE_EXTRA_FLAGS += --enable-logind
|
||||
DEB_CONFIGURE_EXTRA_FLAGS += --with-audit
|
||||
endif
|
||||
@@ -44,26 +44,12 @@ CFLAGS += -DDEFAULT_EDITOR="\"sensible-editor\""
|
||||
override_dh_auto_configure:
|
||||
dh_auto_configure -- $(DEB_CONFIGURE_EXTRA_FLAGS)
|
||||
|
||||
override_dh_install-arch:
|
||||
ifneq ($(DEB_HOST_ARCH_OS),linux)
|
||||
sed -i 's/session optional pam_keyinit.so/# Linux only # session optional pam_keyinit.so/' debian/login.pam
|
||||
endif
|
||||
dh_install -a
|
||||
ifeq ($(DEB_HOST_ARCH_OS),hurd)
|
||||
# /bin/login is provided by the hurd package.
|
||||
rm -f debian/login/usr/bin/login
|
||||
endif
|
||||
|
||||
override_dh_installpam:
|
||||
# Distribute the pam.d files; unless for the commands with disabled PAM
|
||||
# support
|
||||
dh_installpam -p login
|
||||
dh_installpam -p passwd --name=passwd
|
||||
dh_installpam -p passwd --name=chfn
|
||||
dh_installpam -p passwd --name=chsh
|
||||
dh_installpam -p passwd --name=chpasswd
|
||||
dh_installpam -p passwd --name=newusers
|
||||
|
||||
override_dh_auto_clean:
|
||||
sed -i 's/# Linux only # //' debian/login.pam
|
||||
dh_auto_clean
|
||||
|
||||
Vendored
+6
@@ -0,0 +1,6 @@
|
||||
# debputy does not need misc:Depends
|
||||
debhelper-but-no-misc-depends libsubid-dev
|
||||
debhelper-but-no-misc-depends libsubid5
|
||||
debhelper-but-no-misc-depends login.defs
|
||||
debhelper-but-no-misc-depends passwd
|
||||
debhelper-but-no-misc-depends uidmap
|
||||
Vendored
+9
-1
@@ -1,2 +1,10 @@
|
||||
Tests: smoke
|
||||
Restrictions: needs-root superficial
|
||||
Restrictions: needs-root, superficial
|
||||
|
||||
Tests: upstream
|
||||
Depends:
|
||||
expect,
|
||||
procps,
|
||||
@,
|
||||
@builddeps@
|
||||
Restrictions: needs-root, build-needed, breaks-testbed, allow-stderr, isolation-machine
|
||||
|
||||
+15
@@ -0,0 +1,15 @@
|
||||
#!/bin/sh
|
||||
useradd ubuntu
|
||||
|
||||
export BUILD_BASE_DIR=$(pwd)
|
||||
|
||||
cd tests
|
||||
|
||||
cleanup() {
|
||||
cp testsuite.log $AUTOPKGTEST_ARTIFACTS/
|
||||
cat testsuite.log
|
||||
}
|
||||
|
||||
trap cleanup TERM EXIT
|
||||
|
||||
./run_some 2>&1
|
||||
Reference in New Issue
Block a user